It was only a matter of time before fines came down, as the people charged with enforcing the privacy rule exercised their powers newly vested by the HITECH Act.

The fine was big, no doubt, but the even bigger stunner was that it wasn’t levied because of a data breach. Instead, $1.3 million of it was for Cignet’s withholding of medical records from 41 patients who demanded them, and $3 million was for not cooperating with an OCR investigation.

To me, it sounded kind of familiar. Flashes of déjà vu fired in my HIMSS-addled brain. I’d heard this before, but where? Where?

Only after getting home, decompressing from the amazingly fruitful trip and reviewing some old recordings, did I find it. Last June, I covered a Healthcare Stimulus Exchange conference session that featured a couple of HIPAA all-star speakers: David Mayer, the OCR’s acting senior adviser for health information privacy; and Amy Leopard, a partner at the Cleveland law firm, Walter & Haverfield LLP.

In the session, Mayer explained how most HIPAA cases end up being resolved informally and without fines. HIPAA cases typically unfold with the covered entity realizing it had let slip some patient information or had violated the law in some other way, and working out a corrective plan with OCR to prevent it from happening again.

A few cases end up getting resolved formally, and a subset of those include penalties for noncooperation on the part of the covered entity. This HIPAA enforcement power isn’t used often because covered entities usually aren’t willfully circumventing HIPAA and want to fix the problem in their facility that caused the violations.

“In the regulation,” Mayer said, the covered entity “has to cooperate with OCR. We will provide in certain places, technical assistance. We have actually had a number of cases where, when we finally got in there, the covered entity had done nothing wrong — but they had stonewalled us, they had given us a bad time. So, there was a violation of the cooperation portion, even though there was no breach.” He didn’t mention Cignet by name, of course, but OCR was working on this case when he said this.

OCR clearly is setting a precedent with the Cignet penalties — saying, in effect, “If you don’t cooperate, you’ll pay.” Literally. And from our point of view, this wasn’t a borderline call: When OCR requested the 41 patients’ records, Cignet sent them, all right, along with 4,500 others in 59 boxes, according to a Washington Post report. It was a brazen move that backfired. It takes taxpayer money and time to sift through that kind of paper. Make OCR do it, apparently, and they’ll send you the bill.

About This Blog

Health IT Pulse is the blog for the writers and editors of SearchHealthIT.com, which covers health care technology and electronic health records infrastructure, applications, management and compliance.
